Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Phishing Tactic Hides Tracks with Custom Fonts

The phishing campaign is using a new technique to hide the source code of its landing page – and stealing credentials from customers of a major U.S.-based bank.

An insidious phishing method evades detection using a never-before-seen technique that leverages custom fonts to cover its tracks.

Researchers at Proofpoint recently discovered an active credential harvesting phishing scheme. Once a victim has clicked on the initial phishing email, the resulting landing page looks like a login page for a major U.S. bank – but in reality the page is bent on stealing banking customers’ credentials, Chris Dawson, threat intelligence lead at Proofpoint, told Threatpost. The phishing kit uses custom web fonts to obfuscate the source code for the landing page – making it seem harmless.

“While encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique for the time being in its use of web fonts to implement the encoding,” researchers at Proofpoint said in a Thursday analysis of the technique.

Click to Expand.

Upon further analyzing the landing page, researchers were surprised to find that the source code of the page includes unexpectedly encoded display text – even when it has been copied and pasted into a text file.

Behind this trick are Web Open Font Format (WOFF) files, which are web font files created in an open format that delivers webpage fonts. The base64-encoded woff and woff2 files install a substitution cipher.

Essentially the substitution ciphers replace the expected alphabetical letters shown to the victim on the page (“abcdefghi…”) with other letters in the source code.

For potential victims looking at the page, the trick means their browser renders the ciphered text as plaintext – essentially making the true purpose of the landing page harder to detect.

These substitution functions are also identified in the CSS code for the landing page, differing from those used in other phishing kits, which are frequently implemented in JavaScript.

The phishing technique has one other trick up its sleeve: Using the images of the bank’s branding in scalable vector graphics format, so that the logo and its source do not appear in the source code. That sidesteps the process of linking to actual logos and other visual resources, which could potentially be detected by the impersonated brand.

Dawson said that the phishing kit was first observed being used in May 2018 – but it is possible that the kit appeared in the wild earlier. And, it’s still being used, with a number of active domains hosting the kit.

Potential victims as always should be extremely careful about clicking URLs and going directly to bank websites instead of following links.

“This is really just one more way in which threat actors are looking to hide their tracks,” Dawson told us. “Whether that is through a variety of code mechanisms or new novel ways of getting around detection, it’s all just a matter of being more effective.”

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.